You Have Lost Control of Your Account, "What Now"
Phishing
What is it
Phishing definition (for steemit), is when someone tries to obtain your "Active or Master" password key. Once they obtain this information from a steemit user, things get bad really really fast. They obtain your password typically by embedding a tiny URL link in a comment to you that may look legit but contains a link to a fake website that replicates a real one.
Methods/Examples
Some examples from the past have been various forms of spelling steemit in a link, not used to often anymore, they have moved to more hidden methods.
Suspected Bad Comment, What Now
You absolutely need to let someone know. If you are on Discord, or Steemit chat head over to @steemcleaners chat and leave the link to them or contact @arcange on steemit chat. Here is a link to @arcange latest Phishing site reported - steemone Read this report, learn to look at where you are going and then to make damned sure you are where you expected to be, and then look again at the URL, if you can not clearly see it, then get close enough to your screen so that you know its a "2" and not a "z", or a "1" and not a "l", or an "I".
After you do that then return to the questionable comment and reply to it in a manner similar to how I did:
WARNING WARNING no one click on that link I mean NO ONE until @arcange or @guard or @steemcleaners has deemed it safe. Any tiny URL is a very real and potential danger to your account.
@guard is a creation of @anyx. Here is the announcement post announcement post introducing @guard
I've Been Hit
You have just become a victim, what now.
Here two of the best links to learn about the process, it was written by a victim, she has fully recovered her account, and is sponsoring get the word out contest about the phishing scams.
The first link is how to regain control of your account, and how to get your reputation back.
The second link helps you to quickly recover your reputation and to clean up your account from all the scam comments.
These are two links you do not want to lose. I would suggest you make a bookmark folder called Steemit Account Recovery and place these two links in there.
- Got Hacked? Here's How To Get Your Account And Reputation Score Back!
- Got Hacked? This 'Mass Comment Replacer' Script Will Help You To Recover Quickly (Video Tutorial Included)
Additional Resources
A few links to read, then add to your folder:
- Phishing Messages + FAQ
- Phishing site reported - steemone
- Introducing @guard -- a Proactive Measure to Limit Phishing on Steemit
Conclusion
It is no fun being hacked. As a new user the easiest way to avoid scams is to know where you are going when you click a link. If you did not expect to have to enter a password on that link, then DON'T. If you get to a page that says you need to re-log in leave that page, and return to one you know is safe and then see if you really need to re-log in. Remember even a stolen posting key can get you into a lot of trouble.
This post was created in support of @simplymike, and her desire to get the phishing scam and what to do message spread to as many users on steemit as possible. She recovered her account, not everyone has. If you have a friend that was unable to fully recover direct them to this or one of @smileymike 's excellent post on this subject. There are people that can help.
Good advice bashadow! You can never be too careful when it comes to securing your account in my opinion! Especially when an account can end up being worth a lot not just in monetary value but in other ways as well! This is one reason I don't use steemit on my phone and yeah I definitely always check a link before I click on it! It's unfortunate so many people out there wanna be corrupt and try to steal, but that's life I guess.. We just gotta do the best we can to protect against it which is why posts like these are so important in my opinion.
To many of the Scam and phishing post focus to much on the active and master key, the posting key is just as important. I think. But it is a subject that needs to stay in peoples fore brains a little bit.
Definitely would never give out my master key. I think people need to be more aware too and this is an awesome post for people to see that! I'll share with my followers who read my stuff as well to try and help out where I can. Thanks for this @bashadow!
That is much appreciated. We forget so easy, and post get buried and it is difficult to find them again. I could not even scroll back more than 2 months through my own blog page yesterday.
Yeah I noticed that too, along with looking into your wallet info you can only scroll so far back..
Why is the posting key just as important? Can you never change it? I'm a lil concerned cause two people have the IFC posting account and was thinking about adding another, though.. I don't want to lose control of the account..
If a person has your posting key, they can "edit" any post you made. Or they can make a post, or a comment with your name. I know group accounts are needed, like your IFC account and I am sure you pick very carefully who has access. The posting key may not be as important when it comes to losing money, or control of an account, but a few post where you apparently slam or berate or are just an asshole to will ruin your reputation pretty quick. Most of the scam warnings, and be cautious with passwords only highlight the financial side, but there are a lot of people where their Reputation is more important the the finances.
Yeah I need to tell the people who have the key to only use it on a computer and not on their phone, I think I forgot to do that and I'm a lil worried already. Can you change your posting key if someone abusive gets a hold of it? That's my main question.. Cause I think we can handle someone causing a lil chaos if you can ultimately lock them out by changing the password, but if they can never be locked out and that password can never be changed.. That's a major concern!
Yes, you can change any of the passwords as long as you have control of your account and your master password.
Good to know! That's a big relief. :)Thanks for the info!
Thanks, @bashadow.
I think you have a good point when you say the focus is too much on protecting the active and master key. Well, not too much, but the posting key should indeed be protected equally.
I love the thing you did with the links. i actually checked every link in your article (btw, the eagle redirects to my profile instead of your FC-entry.)
I hate to admit it, but I just learned I could check the links on my iPhone before I clicked them like 2 weeks ago.
Since the iPhone is my main access gate to SteemIt at the moment, it was an important lesson to learn.
Thanks for taking some time out of your busy schedule to help raise awareness. The more people know what to do to protect themselves, the less people will fall victim.
Yes, and people need to trust, but they also need to be very aware of the potential danger out there. Steemit sometimes does pop up with "You need to re-log on" but when it does I make sure I am on steemit before relogging on.
I must say the re-login thing appears on my phone a couple of times an hour. Fortunately I learned that refreshing thevpage works fine...
Yes, most of the time that works for me also, only once or twice where it did not.
Very awesome post @bashadow!!
Resteeming 👍
Just trying to help people where we can. Thanks for the resteem, the more people are reminded, maybe the fewer sad accounts that happen.
Nice and very informative post @bashadow. I didn't knew what phishing meant before. In normal life we call it hacking. It's horrible of people who take such means to obtain something. Thank u for sharing :)
Steem has potential of making people money, getting a hold of an active key makes it so easy for them to clean an account out. All the steem and SBD's that are not powered up can be transferred out of the account right away, If a person does not notice their account is compromised it only takes 7 days for power downs to happen and they theif can get a lot more money. It is nice to have some SBD's and Steem just sitting in case of emergency, but those emergency funds can go bye bye real fast during an attack.
Thank you for this post @bashadow, some people are currently in this situation and do not know where to turn to for help or assistance, i would resteem this to get the word out.
I and I am sure @simplymike thank you, Some things just are not easy to find, and people just need to be reminded every now and then.
You are right @bashadow. I just read @simplymike's post and i really feel bad about this, for the first time i did put myself in their condition. Is there something i can do?i mean how do i locate this people. this is terrible.
We just need to try to remember where to direct people to get the help they need. Post like @simplymike 's get lost in time. In two months am I going to remember? I doubt it. But now because I took my simple recommended step of creating a folder in my bookmarks I will be able to find the post that mater. I don't have many folders in my bookmarks so it will stand out for me when I have to Hunt down the link. We don't need to be experts, steemit has them, we just need to be able to send the victims to the right office so to speak.
Someone just gave me the idea to add the information to the wiki - that way it won’t get lost. And I’m going to take all the info I gathered in the contest and make a Dbook with it somehow, so it will always be available when needed.
I’m going to look into both options tomorrow...
That sounds good, Steemit needs a method for people to Identify high priority post. Or at least get someone at Steemit.inc to make a FAQ on account recovery page.
Also watch out for third party apps. There is no legit d.tube app as of yet but they creators are working on one. Use your browser. Thankfully I was able to recover my account before damage was done but I download what I thought was the d.tube app and got hacked. They stole about $5 STEEM and $30 SBD could have been worse. I noticed right away as I live on steemit. Got my passwords changed and stopped them from commenting. I have prided myself on never ever have been hacked then I flubbed up and let myself get hacked. Lesson learned and being shared.
There are so so many traps, that is why @simplymike wants to keep reminding people, and wants us to spread the word, and the word is spreading. I hope by day six of my post that I see a post from a follower or in my feed about phishing and scams, so I can go and vote and help keep the message going out.
hiya, many thanks for sharing this being new to the world of steem I wasn't aware of this so a big thank you from me, much respect and I hope you have a brilliant day
It happens quite a lot, people losing their accounts by being careless or suckered into exposing their passwords, there are very few reason to re-enter you password, so when a page ask for it people just need to know where they are 100%, to stay safe.
hiya I was aware of phishing what I was not aware of was the idea someone would be interested my posting key this was a new aspect for me, you are right in also saying about trust, there are occasions where I do automatically trust the post comment etc because its someone I know and I think this is a good point to make. it is surprising just how many times in life we do things without really thinking them through, I am trying to improve that about myself, good post, good reminder, thank you for replying I appreciate it, much respect to you